If you look at password changes over time, there's a direct correlation between the amount of entropy per password change and the number of times you change your password. The longer you've been at an organization, the worse your password is, because you're forced to change it more often.

Adam went on to say that this is because, "you settle on a scheme."

Patrick wanted him to write a report on this—which would be fantastic—but Adam said he’s too busy.

And 2FA, of course.

But I thought it was a brilliant nugget, and too good not to capture.

Basically, empirical data showing that if users start out with strong, unique passwords, forcing them to change those passwords often is markedly worse for the organization, because the replacements get weaker with every rotation.
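To make the "you settle on a scheme" effect concrete, here is an added example (my own code, not from the show or the original post) that models what an attacker holding one expired password can do with it. The password history and the transformation set (season swap, last-number increment, and both together) are constructed for illustration; real scheme guessers use far larger rule sets, so the guess counts below are, if anything, generous. The point it demonstrates is that a composition checker credits each rotated password with well over 100 bits, while the rotation itself is recoverable in a handful of guesses.

```python
import math
import re
import string

SEASONS = ["Spring", "Summer", "Autumn", "Winter", "Fall"]

# Constructed sample: one user's history under 90-day forced rotation.
# The user "settled on a scheme": fixed base, rotating season, year bump.
HISTORY = [
    "Tr0ub4dor!Spring2018",
    "Tr0ub4dor!Summer2018",
    "Tr0ub4dor!Autumn2018",
    "Tr0ub4dor!Winter2018",
    "Tr0ub4dor!Spring2019",
]


def nominal_entropy_bits(pw: str) -> float:
    """Entropy a naive composition checker credits to pw: it assumes every
    character was drawn uniformly from the union of classes present."""
    charset = 0
    if any(c.islower() for c in pw):
        charset += 26
    if any(c.isupper() for c in pw):
        charset += 26
    if any(c.isdigit() for c in pw):
        charset += 10
    if any(c in string.punctuation for c in pw):
        charset += len(string.punctuation)
    return len(pw) * math.log2(charset) if charset else 0.0


def _bump_last_number(pw: str, by: int):
    """Add `by` to the last run of digits in pw, keeping its zero padding."""
    matches = list(re.finditer(r"\d+", pw))
    if not matches:
        return None
    m = matches[-1]
    digits = m.group(0)
    bumped = str(int(digits) + by).zfill(len(digits))
    return pw[: m.start()] + bumped + pw[m.end():]


def scheme_candidates(previous: str, max_bump: int = 5) -> list:
    """Likely successors of a known previous password, most probable first.
    Hypothetical rule set for this example; deduplicated, never `previous`."""
    out, seen = [], {previous}

    def add(c):
        if c is not None and c not in seen:
            seen.add(c)
            out.append(c)

    present = [s for s in SEASONS if s in previous]
    # (a) swap the season token for another one
    for s in present:
        for t in SEASONS:
            if t != s:
                add(previous.replace(s, t))
    # (b) increment the last number (counter, month, or year)
    for k in range(1, max_bump + 1):
        add(_bump_last_number(previous, k))
    # (c) season changed and the year rolled over at the same time
    for s in present:
        for t in SEASONS:
            if t != s:
                add(_bump_last_number(previous.replace(s, t), 1))
    return out


def guesses_to_next(previous: str, actual: str):
    """1-based position of `actual` in the candidate list, or None if the
    new password is not derivable from the old one by these rules."""
    for i, cand in enumerate(scheme_candidates(previous), 1):
        if cand == actual:
            return i
    return None


def effective_entropy_bits(guesses: int) -> float:
    """Work the attacker actually had to do, in bits."""
    return math.log2(guesses)


def audit_history(history: list) -> list:
    """Guess count for each rotation in a user's history (None = not derived)."""
    return [guesses_to_next(old, new) for old, new in zip(history, history[1:])]


if __name__ == "__main__":
    for old, new, g in zip(HISTORY, HISTORY[1:], audit_history(HISTORY)):
        eff = "not derived" if g is None else f"{effective_entropy_bits(g):.1f} bits"
        print(f"{old} -> {new}: nominal {nominal_entropy_bits(new):.0f} bits, "
              f"found at guess {g} ({eff})")
```

Run against the constructed history, every rotation is found within ten guesses, so the checker's 131 nominal bits collapse to between 0 and about 3.3 bits of real work for anyone who already holds one expired password. That is the "scheme" Adam was describing, expressed as guess counts rather than intuition.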

Good to know.

And I do hope Adam eventually writes that paper.

Notes

It has always been intuitive to me, and I'm sure to many others, that if you rely on humans, they'll build security that matches their limitations (in this case, memory). This is why there's been such a push for password managers. It was just so interesting to hear about actual data collected to support our intuition.

Some might say we’ve not yet seen the data, so we can’t really come to any conclusions. My response is that you have to choose to trust if you want to expand your knowledge of the world beyond your own experience. And the Risky Business show, Patrick, and Adam are definitely on that list for me.